SunScreen SKIP User's Guide, Release 1.1

Setting Up an Encrypted Connection Between a Host and a SunScreen SPF-100

Figure 5-2 depicts the configuration of an encrypted connection between a host and a SunScreen SPF-100.

Figure 5-2 Communicating with a SunScreen SPF-100


In this case, both the host and the SunScreen SPF-100 must

  1. Install a SunCA X.509 key of the same encryption strength.

  2. Manually exchange certificates.

  3. Use SKIP protocol Version 1.

  4. Have an IP address or remote name.

  5. Use the same algorithms for authentication, key encryption, and traffic encryption.

  6. Enable SKIP.

A machine must also have a local identity. Hosts can have many identities, but the user must choose one with which to communicate with the remote host. This local identity consists of the local key type and the local key name.

X.509 certificates and keys must be used when speaking to a SunScreen SPF-100. The diskettes containing the public keys must be physically exchanged.

The only method of exchanging key IDs is for each user to run skiptool, then telephone the other user and type the other's key ID into the Remote Key ID field of the Add window.

The ACL for both the host and the SunScreen SPF-100 must be configured with each other's address. The host must also include in its ACL the addresses of any networks and hosts attached to the SunScreen SPF-100. The SunScreen SPF-100 does not really use an ACL; it uses packet-filtering rules. These rules must be set to match the ACL on the host running SunScreen SKIP.
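The six requirements above and the ACL-matching rule are easy to get subtly wrong on one side only (a key of a different strength, a network behind the SPF-100 left out of the host's ACL), and nothing in the exchange tells you which side is at fault. The following is an added example, not part of this guide and not skiptool's configuration format: a small consistency check that models each endpoint with the attributes the guide lists and reports every mismatch. The endpoint model, the field names, the sample addresses, the key strength of 1024 and the algorithm names are all constructed for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import List


# Constructed model of one SKIP endpoint (host or SunScreen SPF-100).
# This is not skiptool's configuration format; it only carries the
# properties the guide says both sides must agree on.
@dataclass
class SkipEndpoint:
    name: str
    address: str              # IP address the peer is reached at
    key_type: str             # installed key/certificate type, e.g. "SunCA X.509"
    key_strength: int         # encryption strength of the installed key (constructed)
    skip_version: int         # SKIP protocol version in use
    auth_alg: str             # authentication algorithm
    key_encr_alg: str         # key-encryption algorithm
    traffic_encr_alg: str     # traffic-encryption algorithm
    skip_enabled: bool
    acl: List[str]            # addresses/CIDR networks this side will talk to; for
                              # an SPF-100 this stands in for its packet-filtering rules


def acl_covers(acl: List[str], target: str) -> bool:
    """True if some ACL entry (a single address or a CIDR network) contains target."""
    tgt = ip_network(target, strict=False)          # a bare address becomes a /32 (or /128)
    for entry in acl:
        net = ip_network(entry, strict=False)
        if net.version == tgt.version and net.supernet_of(tgt):
            return True
    return False


def check_pair(host: SkipEndpoint, spf: SkipEndpoint,
               networks_behind_spf: List[str]) -> List[str]:
    """Return a list of human-readable problems; an empty list means the pair is consistent."""
    problems: List[str] = []

    # Requirements that apply to each side on its own.
    for side in (host, spf):
        if "X.509" not in side.key_type:
            problems.append(f"{side.name}: key type {side.key_type!r} is not an X.509 key")
        if side.skip_version != 1:
            problems.append(f"{side.name}: SKIP protocol version {side.skip_version}, need 1")
        if not side.skip_enabled:
            problems.append(f"{side.name}: SKIP is not enabled")

    # Requirements that must match between the two sides.
    if host.key_strength != spf.key_strength:
        problems.append(f"key strength differs: {host.key_strength} vs {spf.key_strength}")
    for attr in ("auth_alg", "key_encr_alg", "traffic_encr_alg"):
        if getattr(host, attr) != getattr(spf, attr):
            problems.append(f"{attr} differs: {getattr(host, attr)!r} vs {getattr(spf, attr)!r}")

    # Each side's ACL (or filtering rules) must name the other's address.
    if not acl_covers(host.acl, spf.address):
        problems.append(f"{host.name}: ACL does not include {spf.name} ({spf.address})")
    if not acl_covers(spf.acl, host.address):
        problems.append(f"{spf.name}: rules do not include {host.name} ({host.address})")

    # The host's ACL must also cover everything attached behind the SPF-100.
    for net in networks_behind_spf:
        if not acl_covers(host.acl, net):
            problems.append(f"{host.name}: ACL does not include network {net} behind {spf.name}")

    return problems


# Constructed sample configuration: documentation addresses, made-up algorithm names.
NETS_BEHIND_SPF = ["10.1.0.0/16", "10.2.0.0/24"]
GOOD_HOST = SkipEndpoint(
    name="workstation", address="192.0.2.10", key_type="SunCA X.509", key_strength=1024,
    skip_version=1, auth_alg="MD5", key_encr_alg="DES-CBC", traffic_encr_alg="DES-CBC",
    skip_enabled=True, acl=["198.51.100.1"] + NETS_BEHIND_SPF,
)
GOOD_SPF = SkipEndpoint(
    name="spf-100", address="198.51.100.1", key_type="SunCA X.509", key_strength=1024,
    skip_version=1, auth_alg="MD5", key_encr_alg="DES-CBC", traffic_encr_alg="DES-CBC",
    skip_enabled=True, acl=["192.0.2.10"],
)
# A host misconfigured in two ways: a different traffic cipher, and one network
# behind the SPF-100 missing from its ACL.
BAD_HOST = replace(GOOD_HOST, traffic_encr_alg="RC2", acl=["198.51.100.1", "10.1.0.0/16"])


def example_problems() -> List[str]:
    """Run the check on the deliberately broken host; returns the two expected findings."""
    return check_pair(BAD_HOST, GOOD_SPF, NETS_BEHIND_SPF)


if __name__ == "__main__":
    print("good pair:", check_pair(GOOD_HOST, GOOD_SPF, NETS_BEHIND_SPF))
    for p in example_problems():
        print("problem:", p)
```

The check is deliberately one-directional for the networks behind the SPF-100: only the host's ACL needs those entries, because the SPF-100's filtering rules already govern its own attached networks. Running the check before exchanging key IDs over the telephone saves a round of "it still doesn't connect" calls, since every mismatch the guide warns about is reported by name.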